Pacific Rim: Delving into the Counter-Offensive—Tactics and Techniques Employed to Eliminate Threats Originating in China

For over five years now, Sophos has been delving into the activities of multiple China-based groups that are targeting Sophos firewalls, utilizing botnets, innovative exploits, and customized malware.

Collaborating with other cybersecurity firms, governments, and law enforcement bodies, we have managed to attribute specific patterns of observed actions to Volt Typhoon, APT31, and APT41/Winnti with varying degrees of certainty.

Through the efforts of Sophos X-Ops, a research and development operation in the Sichuan region has been identified with a high level of confidence. In accordance with China’s laws concerning vulnerability disclosure, X-Ops assesses confidently that the developed exploits were later shared with multiple distinct state-sponsored groups with diverse objectives, capabilities, and post-exploitation techniques.

During the monitoring period, Sophos has recognized three critical changes in the behavior of attackers:

  • Shifting their focus from widespread noisy attacks (deemed unsuccessful attempts by X-Ops to create operational relay boxes [ORBs] for future targeted attacks) to more covert operations aimed at specific high-value targets and critical infrastructure primarily situated in the Indo-Pacific region. Targeted organizations include nuclear energy providers and regulators, military entities, telecommunications companies, state security agencies, and government institutions.
  • Enhancements in stealth and persistence capabilities. Recent noteworthy Tactics, Techniques, and Procedures (TTPs) involve a greater reliance on living-off-the-land techniques, introduction of tampered Java classes, deployment of memory-only Trojans, utilization of a large previously undisclosed rootkit (with features indicating cross-platform multi-vendor potential), and an early version of a UEFI bootkit. X-Ops believes this to be the first documented case of bootkit implementation on a firewall.
  • Improvements in threat actor Operational Security (OPSEC) practices, including disrupting firewall telemetry gathering processes, reducing detection and response effectiveness, and hindering open-source intelligence (OSINT) investigations by minimizing digital traces.

Responding to appeals from NCSC-UK (as elaborated upon by NCSC-UK Chief Technology Officer Ollie Whitehouse) and CISA (in their Secure-By-Design best practices article), our objective is to openly highlight the widespread exploitation of edge network devices by state-sponsored adversaries.

For the sake of collective resilience, we urge other vendors to follow suit.

Edge network devices are coveted targets that well-equipped adversaries use for initial entry and persistence.

Defenders must consider this in their strategies for detection and response. To assist defenders, Sophos has:

  • Supplied TTPs and IOCs in the appendix of the comprehensive chronology to aid in identifying detection opportunities for defenders
  • Outlined the procedures employed to identify and counter attacks against its customers’ firewalls

Nation-state attackers leverage both undisclosed and known vulnerabilities to target edge devices.

This targeting is not confined to Sophos firewalls alone; all edge devices are potential targets, evident from published CVEs.

  • Adhere closely to your vendor’s device hardening guide (Sophos’ guide is available here) to lessen the attack surface area and decrease the exploitability of zero-day vulnerabilities, paying particular attention to administrative interfaces
  • Activate available hotfixes and establish mechanisms to monitor your vendor’s communications regarding vulnerability disclosures — promptly take action as needed
  • Ensure that your hardware and software are up-to-date and that your vendor is dedicated to issuing security updates

State-sponsored targeting is not limited to prominent espionage targets.

  • Threat actors utilize edge devices as operational relay boxes (ORBs) for launching attacks on subsequent targets and concealing the true source of attacks
  • In an intricately connected digital environment, numerous organizations are part of critical infrastructure supply chains and are potential targets for actors seeking to disrupt essential services

A comprehensive timeline of the events described in this summary report can be found in the technical attachment to this article. Relevant sections of the timeline are linked for each segment below to offer detailed context.

Incipient infiltration and reconnaissance

The first incursion did not target a network device; it was instead the sole documented attack on a Sophos facility, the headquarters of Cyberoam, an Indian subsidiary of Sophos. On December 4, 2018, analysts from the Sophos Security Operations (SecOps) team detected a device at that site conducting network scans. A remote access trojan (RAT) was found on a low-privilege system used to operate a wall-mounted video display at Cyberoam’s offices.

Initial investigations hinted at an unsophisticated actor based on discovered malware. However, subsequent details altered this perspective. The intrusion unveiled an intricate and previously unseen rootkit labeled Cloud Snooper, along with a novel method to penetrate cloud infrastructure through a misconfigured Amazon Web Services Systems Manager Agent (SSM Agent).

Although we provided an analysis of the incident with some specifics in 2020, we refrained from attributing the attack at that time.

We now believe with substantial certainty that this marked the initial attempt by a Chinese entity to gather intelligence to aid in the development of malware targeting network devices.

Massive assaults

Commencing in early 2020 and continuing well into 2022, the adversaries invested substantial resources and effort into launching multiple campaigns to identify and subsequently target internet-facing network appliances. Through a swift series of attacks, the adversaries leveraged a sequence of undisclosed vulnerabilities they had discovered and then exploited, attacking WAN-accessible services. These exploits provided them access to data stored on the device and facilitated the injection of payloads into the device firmware, and in particular cases, to devices within the Local Area Network (LAN) situated behind the device within the organization’s network.

Soon after the commencement of these noisy attacks, Sophos became aware of them. In response, Sophos opted for a broad and public disclosure, reflected in a series of X-Ops blog posts, conferences, and seminars focused on our analysis and efforts to counter the threats. For instance, the report on the initial wave in April 2020 (termed Asnarök) was disseminated within a week of the start of widespread attacks and was continually updated as the perpetrators shifted their tactics.

Sophos also engaged with organizations that had discontinued subscribing to updates but continued operating (and susceptible) devices within their networks, alerting them about the potential risks of automated botnet attacks on their externally facing devices.

During two incidents (Asnarök and a subsequent attack called “Personal Panda”), X-Ops identified connections between ethical hackers responsibly reporting vulnerabilities and the threat actor groups outlined in this report. X-Ops has evaluated, with moderate confidence, the existence of a research community centered around educational institutions in Chengdu. It is believed that this community collaborates on vulnerability research and exchanges their discoveries with both vendors and entities linked to the Chinese government, including contractors engaged in offensive activities on behalf of the state. Nevertheless, the full extent and nature of these activities have not been definitively substantiated.

A detailed timeline of the widespread device attacks can be accessed in the comprehensive timeline.

Transitioning to covert operations

In the midst of 2022, the attacker altered their strategies to highly focused, narrowly tailored attacks targeting specific organizations: government agencies; operators of critical infrastructure; research and development institutions; healthcare providers; retail, financial, and military-related businesses; as well as public sector entities. These attacks, employing various Tactics, Techniques, and Procedures (TTPs), were characterized by reduced automation and a more hands-on approach by threat actors, who manually executed commands and deployed malware on the compromised devices.

Throughout these attacks, a range of stealthy persistence methods were formulated and utilized, with notable ones including:

  • An exclusive, fully functional userland rootkit
  • Utilization of the TERMITE in-memory dropper
  • Repackaging legitimate Java archives with Trojanized class files
  • An experimental UEFI bootkit (observed solely on a test device controlled by the attacker)
  • Acquisition of valid VPN credentials through malware on the device and by means of an Active Directory DCSYNC
  • Interception of firmware upgrade processes to endure firmware updates

While the exploitation of known Common Vulnerabilities and Exposures (CVEs) (mentioned above) was the prevalent initial point of access employed to deploy the aforementioned tactics, X-Ops additionally detected instances of initial access using legitimate administrative credentials from the local area network side of the device. This implies the utilization of edge devices for persistence and remote access post gaining initial network entry via alternative methods.

Enhancements in Operational Security

Throughout the campaigns, the threat actors improved their capabilities to conceal their operations from immediate detection by obstructing the transfer of telemetry data from the device to Sophos.

As early as April 2020, the attackers endeavored to sabotage the hotfix mechanism on the compromised devices. Subsequently, they expanded their focus to disrupt the telemetry system on the devices to hinder Sophos from receiving early alerts about their actions.

Moreover, the threat actors identified and impeded telemetry tracking on their test devices following X-Ops’ use of that function to gather data on exploits while they were under development.
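One defensive consequence of the telemetry and hotfix sabotage described above: a device that stops reporting, or whose hotfix level stops advancing while the rest of the fleet moves on, deserves a human look, because a silenced channel looks the same as a dead one. The following monitor is an added example, not Sophos code; the feed format, device names and hotfix labels are all constructed for illustration.

```python
"""Heartbeat-gap monitor: flag edge devices whose telemetry has gone quiet
or whose hotfix level has stalled. Added example with a constructed feed."""
from datetime import datetime, timedelta, timezone

# Constructed sample feed, one upload per line: "<device_id>,<utc timestamp>,<hotfix label>".
# fw-branch-03 falls silent after its first upload; fw-branch-04 keeps reporting but never
# advances past HF-12 while the rest of the fleet reaches HF-13.
SAMPLE_FEED = """\
fw-branch-01,2024-05-01T00:00:00Z,HF-12
fw-branch-02,2024-05-01T00:05:00Z,HF-12
fw-branch-03,2024-05-01T00:10:00Z,HF-11
fw-branch-04,2024-05-01T00:15:00Z,HF-12
fw-branch-01,2024-05-01T06:00:00Z,HF-12
fw-branch-02,2024-05-01T06:05:00Z,HF-12
fw-branch-04,2024-05-01T06:15:00Z,HF-12
fw-branch-01,2024-05-01T12:00:00Z,HF-13
fw-branch-02,2024-05-01T12:05:00Z,HF-13
fw-branch-04,2024-05-01T12:15:00Z,HF-12
"""

def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_feed(text):
    """Return {device_id: [(timestamp, hotfix_number), ...]} with each list sorted by time."""
    per_device = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, ts, hf = line.split(",")
        per_device.setdefault(dev, []).append((parse_ts(ts), int(hf.split("-")[1])))
    for records in per_device.values():
        records.sort()
    return per_device

def find_silent_devices(per_device, now_iso, max_gap_hours):
    """Devices whose most recent upload is older than max_gap_hours as of now_iso."""
    now, max_gap = parse_ts(now_iso), timedelta(hours=max_gap_hours)
    return sorted(dev for dev, recs in per_device.items() if now - recs[-1][0] > max_gap)

def find_stalled_hotfix(per_device):
    """Devices whose latest reported hotfix level lags the newest level seen anywhere in the fleet."""
    newest = max(recs[-1][1] for recs in per_device.values())
    return sorted(dev for dev, recs in per_device.items() if recs[-1][1] < newest)

if __name__ == "__main__":
    fleet = parse_feed(SAMPLE_FEED)
    print("silent:", find_silent_devices(fleet, "2024-05-01T18:30:00Z", 8))
    print("stalled hotfix:", find_stalled_hotfix(fleet))
```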

Furthermore, the operational security practices of the exploit developers evolved over time. X-Ops observed a significant decline in the trail of traceable information through open-source intelligence practices from previous attacks.

Final Remarks

The threat actors have persistently conducted these attacks for over five years. This glimpse into our historical and ongoing investigations into these attacks forms the narrative that we intend to continue sharing over time, as long as it does not impede or compromise ongoing law enforcement inquiries.

The threat actors appear to possess ample resources, patience, creativity, and exceptional knowledge of the internal structure of device firmware. The attacks highlighted in this research exhibit a level of dedication to malicious activities rarely witnessed in Sophos’ nearly four-decade existence as a company.

Sophos X-Ops welcomes collaboration with others and is willing to share further detailed Indicators of Compromise (IOCs) on a case-by-case basis. Contact us via pacific_rim[@]sophos.com.

For the complete account, kindly refer to our landing page: Sophos Pacific Rim: Sophos defensive and counter-offensive operation with nation-state adversaries in China.

Acknowledgments

Sophos extends appreciation to ANSSI, Barracuda, Bugcrowd, CERT-In, CISA, Cisco Talos, Digital Shadows (now part of Reliaquest), FBI, Fortinet, JCDC, Mandiant, Microsoft, NCA, NHCTU, NCSC-NL, NCSC-UK, NSA, Palo Alto Networks, Recorded Future, Secureworks, and Volexity for their valuable contributions to this report or to the investigations covered within.
